@elevasis/core 0.22.0 → 0.24.0

package/src/auth/multi-tenancy/credentials/server/kek-loader.ts

@@ -1,37 +1,37 @@
-import { getSupabaseClient } from '../../../../supabase/server/client'
-import { setKek, CURRENT_KEY_ID } from './encryption'
-
-let loaded = false
-
-/**
- * Loads the platform credential KEK from Supabase Vault and registers it under
- * `CURRENT_KEY_ID` ('platform-v1').
- *
- * Idempotent: subsequent calls are no-ops.
- *
- * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
- * silently start without a usable encryption key.
- */
-export async function loadCredentialKEKs(): Promise<void> {
-  if (loaded) return
-
-  const supabase = await getSupabaseClient()
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- RPC isn't in generated types yet (run `supabase gen types` post-merge)
-  const { data, error } = await (supabase.rpc as any)('get_platform_credential_kek')
-  if (error) {
-    throw new Error(
-      `Failed to load platform credential KEK from Vault: ${error.message}. ` +
-        `Did you run provision-credential-kek.sql against this environment?`
-    )
-  }
-  if (typeof data !== 'string' || data.length === 0) {
-    throw new Error('Vault returned null/empty platform credential KEK')
-  }
-  const vaultKek = Buffer.from(data, 'hex')
-  if (vaultKek.length !== 32) {
-    throw new Error(`Vault KEK is ${vaultKek.length} bytes, expected 32`)
-  }
-  setKek(CURRENT_KEY_ID, vaultKek)
-
-  loaded = true
-}
+import { getSupabaseClient } from '../../../../supabase/server/client'
+import { setKek, CURRENT_KEY_ID } from './encryption'
+
+let loaded = false
+
+/**
+ * Loads the platform credential KEK from Supabase Vault and registers it under
+ * `CURRENT_KEY_ID` ('platform-v1').
+ *
+ * Idempotent: subsequent calls are no-ops.
+ *
+ * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
+ * silently start without a usable encryption key.
+ */
+export async function loadCredentialKEKs(): Promise<void> {
+  if (loaded) return
+
+  const supabase = await getSupabaseClient()
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- RPC isn't in generated types yet (run `supabase gen types` post-merge)
+  const { data, error } = await (supabase.rpc as any)('get_platform_credential_kek')
+  if (error) {
+    throw new Error(
+      `Failed to load platform credential KEK from Vault: ${error.message}. ` +
+        `Did you run provision-credential-kek.sql against this environment?`
+    )
+  }
+  if (typeof data !== 'string' || data.length === 0) {
+    throw new Error('Vault returned null/empty platform credential KEK')
+  }
+  const vaultKek = Buffer.from(data, 'hex')
+  if (vaultKek.length !== 32) {
+    throw new Error(`Vault KEK is ${vaultKek.length} bytes, expected 32`)
+  }
+  setKek(CURRENT_KEY_ID, vaultKek)
+
+  loaded = true
+}

package/src/auth/multi-tenancy/index.ts

@@ -1,26 +1,26 @@
-// Theme preset SSOT (const tuple + derived union + Zod enum)
-export * from './theme-presets'
-
-// Config types
-export * from './types'
-
-// Permission catalog (canonical PERMISSIONS constant + types)
-export * from './permissions'
-
-// Role management schemas
-export * from './role-management/index'
-
-// Organization types
-export * from './organizations/index'
-
-// User types
-export * from './users/index'
-
-// Membership types
-export * from './memberships/index'
-
-// Invitation types
-export * from './invitations/index'
-
-// Credentials types
-export * from './credentials/index'
+// Theme preset SSOT (const tuple + derived union + Zod enum)
+export * from './theme-presets'
+
+// Config types
+export * from './types'
+
+// Permission catalog (canonical PERMISSIONS constant + types)
+export * from './permissions'
+
+// Role management schemas
+export * from './role-management/index'
+
+// Organization types
+export * from './organizations/index'
+
+// User types
+export * from './users/index'
+
+// Membership types
+export * from './memberships/index'
+
+// Invitation types
+export * from './invitations/index'
+
+// Credentials types
+export * from './credentials/index'

package/src/auth/multi-tenancy/invitations/api-schemas.ts

@@ -1,104 +1,104 @@
-/**
- * Invitations Domain - Zod Validation Schemas
- *
- * Validation schemas for invitation management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - Email validation prevents header injection
- * - Role enum validation prevents privilege escalation
- * - organizationId from JWT (not accepted in body for protected routes)
- */
-
-import { z } from 'zod'
-import { EmailSchema } from '../../../platform/utils/validation'
-import { MembershipRoleSchema } from '../memberships/api-schemas'
-
-// ============================================================================
-// Path Parameters
-// ============================================================================
-
-/**
- * Validate invitation ID in URL path
- * Used by: GET/DELETE /invitations/:id
- */
-export const InvitationIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS invitation IDs
-  })
-  .strict()
-
-// ============================================================================
-// Request Bodies
-// ============================================================================
-
-/**
- * Send new invitation
- * POST /invitations
- *
- * Security:
- * - Email format validated (prevents header injection)
- * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
- * - expiresInDays bounded (1-90 days)
- * - organizationId NOT in body (from JWT via requireOrganization middleware)
- */
-export const SendInvitationSchema = z
-  .object({
-    email: EmailSchema,
-    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
-    roleSlug: MembershipRoleSchema.default('member'),
-    expiresInDays: z.number().int().min(1).max(90).default(7)
-  })
-  .strict()
-
-/**
- * Accept invitation by token
- * POST /invitations/accept
- *
- * Security:
- * - Token validated (non-empty string)
- */
-export const AcceptInvitationSchema = z
-  .object({
-    invitation_token: z.string().min(1, 'Invitation token is required')
-  })
-  .strict()
-
-// ============================================================================
-// Query Parameters
-// ============================================================================
-
-/**
- * List invitations with filters
- * GET /invitations
- *
- * Filters:
- * - organizationId: Filter by organization
- * - email: Filter by email
- *
- * Security:
- * - Requires organizationId or userId filter
- * - Email validated
- */
-export const ListInvitationsQuerySchema = z
-  .object({
-    organizationId: z.string().optional(),
-    userId: z.string().optional(),
-    email: EmailSchema.optional(),
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional() // WorkOS pagination cursor
-  })
-  .strict()
-  .refine((data) => data.organizationId || data.userId, { message: 'Either organizationId or userId must be provided' })
-
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-
-// Export inferred types for use in route handlers
-export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
-export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
-export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
-export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>
+/**
+ * Invitations Domain - Zod Validation Schemas
+ *
+ * Validation schemas for invitation management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - Email validation prevents header injection
+ * - Role enum validation prevents privilege escalation
+ * - organizationId from JWT (not accepted in body for protected routes)
+ */
+
+import { z } from 'zod'
+import { EmailSchema } from '../../../platform/utils/validation'
+import { MembershipRoleSchema } from '../memberships/api-schemas'
+
+// ============================================================================
+// Path Parameters
+// ============================================================================
+
+/**
+ * Validate invitation ID in URL path
+ * Used by: GET/DELETE /invitations/:id
+ */
+export const InvitationIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS invitation IDs
+  })
+  .strict()
+
+// ============================================================================
+// Request Bodies
+// ============================================================================
+
+/**
+ * Send new invitation
+ * POST /invitations
+ *
+ * Security:
+ * - Email format validated (prevents header injection)
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
+ * - expiresInDays bounded (1-90 days)
+ * - organizationId NOT in body (from JWT via requireOrganization middleware)
+ */
+export const SendInvitationSchema = z
+  .object({
+    email: EmailSchema,
+    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
+    roleSlug: MembershipRoleSchema.default('member'),
+    expiresInDays: z.number().int().min(1).max(90).default(7)
+  })
+  .strict()
+
+/**
+ * Accept invitation by token
+ * POST /invitations/accept
+ *
+ * Security:
+ * - Token validated (non-empty string)
+ */
+export const AcceptInvitationSchema = z
+  .object({
+    invitation_token: z.string().min(1, 'Invitation token is required')
+  })
+  .strict()
+
+// ============================================================================
+// Query Parameters
+// ============================================================================
+
+/**
+ * List invitations with filters
+ * GET /invitations
+ *
+ * Filters:
+ * - organizationId: Filter by organization
+ * - email: Filter by email
+ *
+ * Security:
+ * - Requires organizationId or userId filter
+ * - Email validated
+ */
+export const ListInvitationsQuerySchema = z
+  .object({
+    organizationId: z.string().optional(),
+    userId: z.string().optional(),
+    email: EmailSchema.optional(),
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+  .refine((data) => data.organizationId || data.userId, { message: 'Either organizationId or userId must be provided' })
+
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+
+// Export inferred types for use in route handlers
+export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
+export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
+export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
+export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>

package/src/auth/multi-tenancy/memberships/api-schemas.ts

@@ -1,143 +1,143 @@
-/**
- * Memberships Domain - Zod Validation Schemas
- *
- * Validation schemas for membership management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - UUID validation prevents invalid references
- * - Role enum validation prevents privilege escalation
- * - organizationId never accepted in body (from JWT when needed)
- */
-
-import { z } from 'zod'
-
-// ============================================================================
-// Shared Schemas
-// ============================================================================
-
-/**
- * Membership role validation
- * Accepts any non-empty role slug (max 64 chars).
- *
- * Roles are now DB-driven via `org_rol_definitions`. Runtime validation
- * against valid slugs happens at the service layer, not here.
- */
-export const MembershipRoleSchema = z.string().min(1).max(64)
-
-/**
- * Membership status validation
- * Note: Database constraint only allows 'active' | 'inactive'
- */
-export const MembershipStatusSchema = z.enum(['active', 'inactive'])
-
-// ============================================================================
-// Path Parameters
-// ============================================================================
-
-/**
- * Validate membership ID in URL path
- * Used by: GET/PUT/DELETE /memberships/:id
- */
-export const MembershipIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS membership IDs can be various formats
-  })
-  .strict()
-
-/**
- * Validate organization ID (Supabase UUID) in URL path
- * Used by: GET /memberships/my-permissions/:orgId
- */
-export const OrgIdParamSchema = z
-  .object({
-    orgId: z.string().uuid()
-  })
-  .strict()
-
-/**
- * Response shape for GET /memberships/my-permissions/:orgId
- */
-export const MyOrgPermissionsResponseSchema = z.object({
-  permissions: z.array(z.string())
-})
-
-// ============================================================================
-// Request Bodies
-// ============================================================================
-
-/**
- * Create new membership
- * POST /memberships
- *
- * Security:
- * - userId must be valid (string format for WorkOS)
- * - organizationId must be valid (string format for WorkOS)
- * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
- * - Strict mode prevents injection
- */
-export const CreateMembershipSchema = z
-  .object({
-    userId: z.string().min(1),
-    organizationId: z.string().min(1),
-    roleSlug: MembershipRoleSchema.default('member')
-  })
-  .strict()
-
-/**
- * Update membership role
- * PUT /memberships/:id
- *
- * Security:
- * - Only roleSlug can be updated
- * - Service layer validates slug against org_rol_definitions
- */
-export const UpdateMembershipSchema = z
-  .object({
-    roleSlug: MembershipRoleSchema
-  })
-  .strict()
-
-// ============================================================================
-// Query Parameters
-// ============================================================================
-
-/**
- * List memberships with filters
- * GET /memberships
- *
- * Filters:
- * - userId: Filter by user
- * - organizationId: Filter by organization
- *
- * Security:
- * - Requires at least one filter parameter
- * - String IDs validated for WorkOS format
- */
-export const ListMembershipsQuerySchema = z
-  .object({
-    userId: z.string().optional(),
-    organizationId: z.string().optional(),
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional() // WorkOS pagination cursor
-  })
-  .strict()
-  .refine((data) => data.userId || data.organizationId, {
-    message: 'Either userId or organizationId must be provided'
-  })
-
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-
-// Export inferred types for use in route handlers
-export type CreateMembershipInput = z.infer<typeof CreateMembershipSchema>
-export type UpdateMembershipInput = z.infer<typeof UpdateMembershipSchema>
-export type ListMembershipsQuery = z.infer<typeof ListMembershipsQuerySchema>
-export type MembershipIdParam = z.infer<typeof MembershipIdParamSchema>
-export type MembershipRole = z.infer<typeof MembershipRoleSchema>
-export type MembershipStatus = z.infer<typeof MembershipStatusSchema>
-export type OrgIdParam = z.infer<typeof OrgIdParamSchema>
-export type MyOrgPermissionsResponse = z.infer<typeof MyOrgPermissionsResponseSchema>
+/**
+ * Memberships Domain - Zod Validation Schemas
+ *
+ * Validation schemas for membership management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - UUID validation prevents invalid references
+ * - Role enum validation prevents privilege escalation
+ * - organizationId never accepted in body (from JWT when needed)
+ */
+
+import { z } from 'zod'
+
+// ============================================================================
+// Shared Schemas
+// ============================================================================
+
+/**
+ * Membership role validation
+ * Accepts any non-empty role slug (max 64 chars).
+ *
+ * Roles are now DB-driven via `org_rol_definitions`. Runtime validation
+ * against valid slugs happens at the service layer, not here.
+ */
+export const MembershipRoleSchema = z.string().min(1).max(64)
+
+/**
+ * Membership status validation
+ * Note: Database constraint only allows 'active' | 'inactive'
+ */
+export const MembershipStatusSchema = z.enum(['active', 'inactive'])
+
+// ============================================================================
+// Path Parameters
+// ============================================================================
+
+/**
+ * Validate membership ID in URL path
+ * Used by: GET/PUT/DELETE /memberships/:id
+ */
+export const MembershipIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS membership IDs can be various formats
+  })
+  .strict()
+
+/**
+ * Validate organization ID (Supabase UUID) in URL path
+ * Used by: GET /memberships/my-permissions/:orgId
+ */
+export const OrgIdParamSchema = z
+  .object({
+    orgId: z.string().uuid()
+  })
+  .strict()
+
+/**
+ * Response shape for GET /memberships/my-permissions/:orgId
+ */
+export const MyOrgPermissionsResponseSchema = z.object({
+  permissions: z.array(z.string())
+})
+
+// ============================================================================
+// Request Bodies
+// ============================================================================
+
+/**
+ * Create new membership
+ * POST /memberships
+ *
+ * Security:
+ * - userId must be valid (string format for WorkOS)
+ * - organizationId must be valid (string format for WorkOS)
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
+ * - Strict mode prevents injection
+ */
+export const CreateMembershipSchema = z
+  .object({
+    userId: z.string().min(1),
+    organizationId: z.string().min(1),
+    roleSlug: MembershipRoleSchema.default('member')
+  })
+  .strict()
+
+/**
+ * Update membership role
+ * PUT /memberships/:id
+ *
+ * Security:
+ * - Only roleSlug can be updated
+ * - Service layer validates slug against org_rol_definitions
+ */
+export const UpdateMembershipSchema = z
+  .object({
+    roleSlug: MembershipRoleSchema
+  })
+  .strict()
+
+// ============================================================================
+// Query Parameters
+// ============================================================================
+
+/**
+ * List memberships with filters
+ * GET /memberships
+ *
+ * Filters:
+ * - userId: Filter by user
+ * - organizationId: Filter by organization
+ *
+ * Security:
+ * - Requires at least one filter parameter
+ * - String IDs validated for WorkOS format
+ */
+export const ListMembershipsQuerySchema = z
+  .object({
+    userId: z.string().optional(),
+    organizationId: z.string().optional(),
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+  .refine((data) => data.userId || data.organizationId, {
+    message: 'Either userId or organizationId must be provided'
+  })
+
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+
+// Export inferred types for use in route handlers
+export type CreateMembershipInput = z.infer<typeof CreateMembershipSchema>
+export type UpdateMembershipInput = z.infer<typeof UpdateMembershipSchema>
+export type ListMembershipsQuery = z.infer<typeof ListMembershipsQuerySchema>
+export type MembershipIdParam = z.infer<typeof MembershipIdParamSchema>
+export type MembershipRole = z.infer<typeof MembershipRoleSchema>
+export type MembershipStatus = z.infer<typeof MembershipStatusSchema>
+export type OrgIdParam = z.infer<typeof OrgIdParamSchema>
+export type MyOrgPermissionsResponse = z.infer<typeof MyOrgPermissionsResponseSchema>